We're covering some security topics in the ITPro class tonight; since we only have a few hours for the session, certain things have been left out of the curriculum -- it's impossible to give everything its due. While I'm on the topic, I didn't choose the curriculum! Nonetheless, cryptography is one topic that many students ask about, so perhaps I can address the questions before they're asked . . .
First, Hashing and Encrypting are different. A hash is a one-way distillation of the content that can be used for equality checks; it's likened to a fingerprint. Fingerprints can be used to identify content (and compare one fingerprint to another), but you cannot reconstitute the entire content based on the fingerprint. Hashing is a one-way trip. See the .Net docs on FormsAuthentication.HashPasswordForStoringInConfigFile for a very easy example.
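As an added example (not code from the original post), here is the fingerprint idea in C# on .NET 6 or later: a SHA-256 digest is fixed-length and deterministic, so two digests can be compared for equality, but nothing in the code can run backwards to recover the text. The second half stores and verifies a password the way the unsalted FormsAuthentication helper does not: with a random per-user salt and PBKDF2 (Rfc2898DeriveBytes.Pbkdf2), compared in fixed time. The class name, iteration count, salt size and sample password are constructed values, not anything from the post.

```csharp
// Added example, not code from the original post. Assumes .NET 6 or later.
using System;
using System.Security.Cryptography;
using System.Text;

static class HashDemo
{
    // A digest is a fixed-length fingerprint of the input: 32 bytes for SHA-256
    // whether the input is one character or a gigabyte, and the same input
    // always gives the same digest. Nothing here can be reversed to get the text back.
    static string Sha256Hex(string text)
    {
        byte[] digest = SHA256.HashData(Encoding.UTF8.GetBytes(text));
        return Convert.ToHexString(digest);
    }

    // Constructed parameters for password storage (not from the post).
    const int SaltBytes = 16, HashBytes = 32, Iterations = 100_000;

    // Stored passwords get a random per-user salt and a deliberately slow
    // derivation (PBKDF2), so identical passwords do not share a digest and
    // each guess costs real work. The salt is stored next to the hash; it is not secret.
    static (byte[] Salt, byte[] Hash) StorePassword(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(
            password, salt, Iterations, HashAlgorithmName.SHA256, HashBytes);
        return (salt, hash);
    }

    // Equality check at login: rehash the attempt with the stored salt and
    // compare in fixed time, so the comparison itself leaks nothing about the match.
    static bool VerifyPassword(string attempt, byte[] salt, byte[] storedHash)
    {
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(
            attempt, salt, Iterations, HashAlgorithmName.SHA256, HashBytes);
        return CryptographicOperations.FixedTimeEquals(hash, storedHash);
    }

    static void Main()
    {
        // Two inputs that differ by one character give unrelated digests of the same length.
        Console.WriteLine(Sha256Hex("Colorado Avalanche"));
        Console.WriteLine(Sha256Hex("Colorado Avalanche!"));
        Console.WriteLine("same input, equal digests: " +
            (Sha256Hex("Colorado Avalanche") == Sha256Hex("Colorado Avalanche")));

        // Password round trip: the right attempt verifies, a wrong one does not.
        var (salt, stored) = StorePassword("test1234");
        Console.WriteLine("correct password accepted: " + VerifyPassword("test1234", salt, stored));
        Console.WriteLine("wrong password accepted:   " + VerifyPassword("test1235", salt, stored));
    }
}
```

Run it twice and the SHA-256 lines are identical while the salt (and therefore the stored hash) changes every run; that is the difference between a plain digest used as a fingerprint and a salted digest used for password storage.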
Encrypting can be a round-trip, provided you've got the same security key etc. Folks are usually just interested in the code, and basic/easy examples of encrypting/decrypting are harder to come by, so I'll stop beating around the bush and deliver the code for a quick Console application:
// Sample usage, inside Main of a console application:
string strVar = getEncryptedText( "Colorado Avalanche", "test1234", "12345678" ) ;
Console.WriteLine( strVar ) ;
Console.ReadLine() ;
Console.WriteLine( getDecryptedText( strVar, "test1234", "12345678" ) ) ;
Console.ReadLine() ;
The above doesn't tell you anything besides demonstrating a sample usage of the following getEncryptedText and getDecryptedText:
// Required using directives (at the top of the file):
using System ;
using System.IO ;
using System.Security.Cryptography ;
using System.Text ;

// Both methods belong in the same class as Main (e.g. Program).
// The ciphertext is returned as Base64: raw cipher bytes are not valid text,
// so pushing them through Encoding.GetString would corrupt the round trip.
private static string getEncryptedText( string strPlainText, string strKey, string strIV )
{
    byte[] arrBytes = Encoding.UTF8.GetBytes( strPlainText ) ;   // UTF8 rather than Encoding.Default, which varies by platform
    using ( MemoryStream mem = new MemoryStream() )
    using ( SymmetricAlgorithm symAlg = RC2.Create() )           // same algorithm as SymmetricAlgorithm.Create( "RC2" )
    {
        symAlg.Key = Encoding.UTF8.GetBytes( strKey ) ;   // 8 characters = 64-bit RC2 key
        symAlg.IV = Encoding.UTF8.GetBytes( strIV ) ;     // 8 bytes = RC2 block size
        ICryptoTransform icrypto = symAlg.CreateEncryptor() ;
        using ( CryptoStream cryptStream = new CryptoStream( mem, icrypto, CryptoStreamMode.Write ) )
        {
            cryptStream.Write( arrBytes, 0, arrBytes.Length ) ;
        }   // disposing the CryptoStream flushes the final padded block
        byte[] arrCipher = mem.ToArray() ;   // renamed: arrBytes is already declared above
        return Convert.ToBase64String( arrCipher ) ;
    }
}

private static string getDecryptedText( string strCryptoText, string strKey, string strIV )
{
    byte[] arrBytes = Convert.FromBase64String( strCryptoText ) ;   // undo the Base64 applied in getEncryptedText
    using ( MemoryStream mem = new MemoryStream() )
    using ( SymmetricAlgorithm symAlg = RC2.Create() )
    {
        symAlg.Key = Encoding.UTF8.GetBytes( strKey ) ;
        symAlg.IV = Encoding.UTF8.GetBytes( strIV ) ;
        ICryptoTransform icrypto = symAlg.CreateDecryptor() ;
        using ( CryptoStream strm = new CryptoStream( mem, icrypto, CryptoStreamMode.Write ) )
        {
            strm.Write( arrBytes, 0, arrBytes.Length ) ;
        }   // a wrong key or IV usually surfaces here as a padding exception
        return Encoding.UTF8.GetString( mem.ToArray() ) ;
    }
}
These two functions accept a key and IV (Initialization Vector) to encrypt and decrypt the text . . . so your burden now becomes how to secure the key (as I understand it, the IV is not necessary to keep secret). For details on keeping your keys safe, check out this section from Keith Brown's online book.
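As an added example (not the post's code), here is the same string round trip written with AES-GCM instead of RC2, on .NET 8 or later. It keeps the post's point about the IV: the nonce (GCM's IV) and the salt are not secret and travel in the clear in front of the ciphertext, while the passphrase from which the key is derived is the only thing to protect. Because GCM is authenticated, decrypting with the wrong passphrase, or after any byte of the blob has been altered, fails with a CryptographicException rather than producing garbage. The class name, salt size, iteration count, blob layout and sample strings are this example's own choices, not anything from the post.

```csharp
// Added example, not code from the original post. Assumes .NET 8 or later
// (for the AesGcm constructor that takes a tag size).
using System;
using System.Security.Cryptography;
using System.Text;

static class AesGcmDemo
{
    // Constructed parameters (not from the post).
    const int SaltBytes = 16, KeyBytes = 32, Iterations = 100_000;
    static readonly int NonceBytes = AesGcm.NonceByteSizes.MaxSize; // 12
    static readonly int TagBytes = AesGcm.TagByteSizes.MaxSize;     // 16

    // The passphrase is the only secret. A 256-bit key is derived from it with
    // PBKDF2 rather than using the passphrase's own bytes as the key.
    static byte[] DeriveKey(string passphrase, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(passphrase, salt, Iterations, HashAlgorithmName.SHA256, KeyBytes);

    // Blob layout (this example's convention): salt || nonce || tag || ciphertext.
    // Salt and nonce are fresh random values on every call and are not secret,
    // which is why they can be shipped next to the ciphertext.
    static string Encrypt(string plainText, string passphrase)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes);
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceBytes);
        byte[] plain = Encoding.UTF8.GetBytes(plainText);
        byte[] cipher = new byte[plain.Length];
        byte[] tag = new byte[TagBytes];

        using (AesGcm aes = new AesGcm(DeriveKey(passphrase, salt), TagBytes))
        {
            aes.Encrypt(nonce, plain, cipher, tag);
        }

        byte[] blob = new byte[SaltBytes + NonceBytes + TagBytes + cipher.Length];
        int pos = 0;
        foreach (byte[] part in new[] { salt, nonce, tag, cipher })
        {
            Buffer.BlockCopy(part, 0, blob, pos, part.Length);
            pos += part.Length;
        }
        // Base64 so the raw bytes survive being passed around as a string.
        return Convert.ToBase64String(blob);
    }

    static string Decrypt(string base64Blob, string passphrase)
    {
        byte[] blob = Convert.FromBase64String(base64Blob);
        byte[] salt = blob[..SaltBytes];
        byte[] nonce = blob[SaltBytes..(SaltBytes + NonceBytes)];
        byte[] tag = blob[(SaltBytes + NonceBytes)..(SaltBytes + NonceBytes + TagBytes)];
        byte[] cipher = blob[(SaltBytes + NonceBytes + TagBytes)..];
        byte[] plain = new byte[cipher.Length];

        using (AesGcm aes = new AesGcm(DeriveKey(passphrase, salt), TagBytes))
        {
            // Wrong passphrase or a modified blob: the tag check fails and this
            // throws a CryptographicException instead of returning garbage.
            aes.Decrypt(nonce, cipher, tag, plain);
        }
        return Encoding.UTF8.GetString(plain);
    }

    static void Main()
    {
        string blob = Encrypt("Colorado Avalanche", "test1234");
        Console.WriteLine(blob);
        Console.WriteLine(Decrypt(blob, "test1234"));

        // Same input twice gives different blobs: the salt and nonce are random each time.
        Console.WriteLine("blobs differ: " + (Encrypt("Colorado Avalanche", "test1234") != blob));

        try
        {
            Decrypt(blob, "wrong passphrase");
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("decrypt rejected: " + ex.GetType().Name + " - " + ex.Message);
        }
    }
}
```

The design choice worth noticing against the RC2 version above: there is no fixed IV parameter at all. The caller supplies only the passphrase, and everything that must be unique per message is generated inside Encrypt and carried with the output, so the one thing left to secure really is just the key material.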
If you're looking for a good general source on .Net security, check out O'Reilly's Programming .Net Security. My code above draws on their summary treatment of CryptoStreams and the various .Net implementations of algorithms like RC2 and SHA1, etc.
Happy Secure .Netting!
Building on my recent certification post, let me offer a few other sources for certification commentary.
Is Certification a Tax We Developers Must Pay?
Martin “UML and XP Expert” Fowler discusses Agile Certification and comments that “certification has little correlation to competence.” Although I have the developer certs from Microsoft (and even one from Sun Microsystems!), I have to agree with Martin. Just because you have the certification doesn't make you a strong software developer. In the current climate, employers and particularly recruiters look for buzzwords and acronyms to fill a job -- certifications are an easy benchmark for employers to rely on. I have a friend who got a position with a big IT company and they never did any form of technical interview, mostly because those who made the hiring decisions were in Human Resources and wouldn't know WSDL from WD-40. Having those certifications on the resume makes you more attractive to employers, even if all you did was memorize a Transcender exam prep CD. I do the cert exams because it's an insurance policy that I won't get passed over by the less experienced developer who memorized some exam questions; it's like a Software Developer Cert Tax that I'm obliged to pay. Besides that, I do like the intellectual challenge of puzzling out the answers to the questions. Call me compulsively analytical (as my wife is prone to do sometimes).
It's unfortunate, and I hope companies look beyond the certs to see if there is real substance to the candidate. There are other ways to certify; last I knew, Java's premium developer certification required submitting functioning applications and source code for review . . . I'm sure it's a pain to grade an exam like this, but multiple choice questions alone (or multiple guess, for some people!) can't continue to cut it. As Martin Fowler points out in his post, however, certification has become an industry unto itself and has a vested interest in maintaining the status quo.
Cert Exam Hell Narrowly Averted
Joseph Cooney shares a story about poor planning for a cert exam. It has a happy ending, though, and Joseph continues batting 1000 in cert exams. For what it's worth, the only cert exam I didn't pass was the old analyzing requirements exam for VB 6.0 -- I failed by 1 point. Something like 740 was needed to pass, and my score came up 739. This was five years ago now, and I was still relatively new to the industry . . . but I'm proud to say I took the same exam two days later and passed it with room to spare.
Darrell Norton Has A Nerd Crush on UML
Let's not forget that Microsoft isn't the only certifier out there. Darrell Norton took the UML Certification exam from IBM earlier this year and lived to tell about it. This is also a way for me to get Darrell back for outing me about my Nerd Crush on Johnnie “Flash” Robbins. Let's see . . . where was I? I want to take this exam because 1) I think it'd be cool to validate my understanding of UML and 2) I think it's a key way to distinguish yourself in the eyes of customers/employers (see Is Certification a Tax We Developers Must Pay? above) -- UML isn't the sort of thing you cram for the night before (at least I hope not).
Happy .Netting!